Chapter 7 Sensitive data Flashcards

1
Q

Which are the special categories of data?

A

racial, ethnic origin
political opinion
trade union membership
religious and philosophical beliefs
genetic and biometric data for the purpose of uniquely identifying a natural person
data concerning health
sexual life, orientation

the choice of categories influenced by anti-discrimination laws

Article 9
processing is prohibited


2
Q

Are photographs automatically considered sensitive (biometric) data?

A

Only when they are processed through specific technical means that allow the unique identification or authentication of an individual


3
Q

What options have member states in terms of sensitive data?

A

They can introduce further conditions, including limitations for the processing of genetic data, biometric data and data concerning health
Data on criminal convictions and offences - Article 10:
- can only be carried out under the control of official authority or
- when P is authorised by Union or Member state law providing for appropriate safeguards for the rights and freedoms of DS


4
Q

Which is the first convention dealing with SD?

A

Convention 108


5
Q

What is the reason for special protection of PS?

A

they are particularly sensitive in relation to FRF and therefore merit specific protection since the context could create significant risks.


6
Q

Which conditions must C meet when processing SD?

A

it is prohibited, but there are narrow exceptions
Under Article 6 and 9 GDPR
Under Articles 12-14 - notification


7
Q

What are the exceptions?

A

explicit consent of DS

employment, social security, social protection law

vital interests

foundation, association, not-for-profit organisation with a political, philosophical, religious or trade union aim

sensitive data are made public by the DS

establishment, exercise or defense of legal claims

reasons of substantial public interest

preventive or occupational medicine, work capacity assessment, medical diagnosis, provision of health or social care or treatment
management of health and social care systems and services

reasons of public interest in the area of public health

archiving purposes in the public interest, scientific or historical research purposes or statistical purposes


8
Q

SD - Explain explicit consent exclusion

A

consent must be freely given, specific, informed, unambiguous but also EXPLICIT = STATEMENT OR CLEAR AFFIRMATIVE ACTION TO SIGNIFY AGREEMENT; IT REFERS TO THE WAY CONSENT IS EXPRESSED - DS must provide an express statement of consent.

Consent must also state the purposes of the processing
Good idea to include the actual data or categories of data
Be in writing or documented in some other permanent record


9
Q

How can an express statement of consent be provided in an online environment?

A

by filling in an electronic form, sending an email, using electronic signatures, employing 2-stage verification


10
Q

What are the rights of Member states regarding the explicit consent?

A

MS Law may stipulate giving consent is not enough to avoid prohibition on processing sensitive data. The C will need to look for another supporting criterion.

Guidance from DPAs will define what is required to meet explicit consent standard; e.g. they must be in writing (difficulties for collecting SD through internet especially if the local law doesn’t accept consent expressed in electronic form as evidence of written consent)
different positions through different jurisdictions


11
Q

SD - explain “employment, social security, social protection law” exclusion

A

Processing is necessary for the C to comply with a legal obligation under employment, social security, social protection law, e.g. candidates, employees, contractors
Necessity test!


12
Q

SD - explain “vital interests” exclusion

A

situation of life and death
Similar to Article 6 but in this case the C must be able to demonstrate it is not possible to obtain consent because DS is physically or legally incapable of giving it. The C must attempt to obtain consent.


13
Q

SD - explain “foundation, association, not-for-profit organisation with a political, philosophical, religious or trade union aim” exclusion

A

relates to nonprofit institutions such as churches, political parties
processing relates to members or ex-members
the C must comply with all other requirements of GDPR and processing can only take place:
- in the course of their legitimate activity
- with appropriate safeguards
- in connection with their specific purposes
They are not allowed to share data outside organisation without DS’s explicit consent
Further requirements can be defined by local law.


14
Q

SD - explain “sensitive data are made public by the DS” exclusion

A

DS deliberately discloses SD about themselves (e.g. in an interview)
But the use of this data is not unregulated!


15
Q

SD - explain “establishment, exercise or defense of legal claims” exclusion

A

the Necessity test - close connection between the processing and the purposes
Example: the insurance company processes medical data to determine if DS’s claim for medical insurance is valid

Also - processing is necessary whenever courts are acting in judicial capacity


16
Q

SD - explain “reasons of substantial public interest” exclusion

A

MS can set down in law what they consider to be in a substantial public interest but the law must be 1) proportionate to the aim pursued and 2) show respect to the essence of the right to data protection and 3) provide measures to safeguard fundamental rights and interest of DS
E.g. activities of NHS

17
Q

SD - explain “preventive or occupational medicine, work capacity assessment, medical diagnosis, provision of health or social care or treatment, management of health and social care systems and services” exclusion

A

Medical or social care purpose
carried out on the basis of EU or MS law or under contract with a medical professional who must be under an obligation of professional secrecy
e.g. doctors, nurses…

18
Q

SD - explain “reasons of public interest in the area of public health” exclusion

A

designed to cover processing of health data by those engaged in public health care, supervision of drugs and medical devices to ensure quality and safety

19
Q

SD - explain “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” exclusion

A

Appropriate safeguards - T&O measures
must be necessary for one of these purposes based on EU or MS law
must be proportionate
must respect the essence of the right to data protection

20
Q

Is data on criminal convictions and offences sensitive data?

A

No, but there are additional requirements in place in Article 10 GDPR:
data must be processed under control of official authority or when processing is authorised by EU or MS law providing for appropriate safeguards for the rights and freedoms of DS